Context Navigation

openssh.xml@ 45ab6c7

Visit:

11.0 11.1 11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 45ab6c7 was 45ab6c7, checked in by Xi Ruoyao <xry111@…>, 3 years ago

more SVN prop clean up

Remove "$LastChanged$" everywhere, and also some unused $Date$

Property mode set to 100644

File size: 17.9 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "9eb9420cf587edc26f8998ab679ad390">
13	<!ENTITY openssh-size "1.7 MB">
14	<!ENTITY openssh-buildsize "51 MB (add 40 MB for tests)">
15	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16	running the tests takes 20+ minutes,
17	irrespective of processor speed)">
18	]>
19
20	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21	<?dbhtml filename="openssh.html"?>
22
23	<sect1info>
24	<date>$Date$</date>
25	</sect1info>
26
27	<title>OpenSSH-&openssh-version;</title>
28
29	<indexterm zone="openssh">
30	<primary sortas="a-OpenSSH">OpenSSH</primary>
31	</indexterm>
32
33	<sect2 role="package">
34	<title>Introduction to OpenSSH</title>
35
36	<para>
37	The <application>OpenSSH</application> package contains
38	<command>ssh</command> clients and the <command>sshd</command> daemon.
39	This is useful for encrypting authentication and subsequent traffic over
40	a network. The <command>ssh</command> and <command>scp</command> commands
41	are secure implementations of <command>telnet</command> and
42	<command>rcp</command> respectively.
43	</para>
44
45	&lfs101_checked;
46
47	<bridgehead renderas="sect3">Package Information</bridgehead>
48	<itemizedlist spacing="compact">
49	<listitem>
50	<para>
51	Download (HTTP): <ulink url="&openssh-download-http;"/>
52	</para>
53	</listitem>
54	<listitem>
55	<para>
56	Download (FTP): <ulink url="&openssh-download-ftp;"/>
57	</para>
58	</listitem>
59	<listitem>
60	<para>
61	Download MD5 sum: &openssh-md5sum;
62	</para>
63	</listitem>
64	<listitem>
65	<para>
66	Download size: &openssh-size;
67	</para>
68	</listitem>
69	<listitem>
70	<para>
71	Estimated disk space required: &openssh-buildsize;
72	</para>
73	</listitem>
74	<listitem>
75	<para>
76	Estimated build time: &openssh-time;
77	</para>
78	</listitem>
79	</itemizedlist>
80	<!--
81	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
82	<itemizedlist spacing="compact">
83	<listitem>
84	<para>
85	Required patch:
86	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
87	</para>
88	</listitem>
89	</itemizedlist>
90	-->
91	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
92
93	<bridgehead renderas="sect4">Optional</bridgehead>
94	<para role="optional">
95	<xref linkend="gdb"/> (for tests),
96	<xref linkend="linux-pam"/>,
97	<xref linkend="x-window-system"/>,
98	<xref linkend="mitkrb"/>,
99	<ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
100	<ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
101	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
102	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
103	</para>
104
105	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
106	<para role="optional">
107	<xref role="runtime" linkend="openjdk"/>,
108	<xref role="runtime" linkend="net-tools"/>, and
109	<xref role="runtime" linkend="sysstat"/>
110	</para>
111
112	<para condition="html" role="usernotes">
113	User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
114	</para>
115	</sect2>
116
117	<sect2 role="installation">
118	<title>Installation of OpenSSH</title>
119
120	<para>
121	<application>OpenSSH</application> runs as two processes when connecting
122	to other computers. The first process is a privileged process and controls
123	the issuance of privileges as necessary. The second process communicates
124	with the network. Additional installation steps are necessary to set up
125	the proper environment, which are performed by issuing the following
126	commands as the <systemitem class="username">root</systemitem> user:
127	</para>
128
129	<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
130	chown -v root:sys /var/lib/sshd &&
131
132	groupadd -g 50 sshd &&
133	useradd -c 'sshd PrivSep' \
134	-d /var/lib/sshd \
135	-g sshd \
136	-s /bin/false \
137	-u 50 sshd</userinput></screen>
138	<!--
139	<para>
140	Apply a patch to allow OpenSSH to build and function with
141	<application>Glibc-2.31</application> and later:
142	</para>
143
144	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
145	-->
146
147	<!-- Applied in 8.5p1
148	<para>
149	First, adapt <application>ssh-copy-id</application> to changes
150	in bash-5.1:
151	</para>
152
153	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
154
155	<para>
156	Next, fix an issue on platforms other than x86_64:
157	</para>
158	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
159	l1="#ifdef __NR_pselect6_time64"
160	l2=" SC_ALLOW(__NR_pselect6_time64),"
161	l3="#endif"
162	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
163	-i sandbox-seccomp-filter.c
164	fi</userinput></screen>
165	-->
166	<para>
167	Install <application>OpenSSH</application> by running the following
168	commands:
169	</para>
170
171	<screen><userinput>./configure --prefix=/usr \
172	--sysconfdir=/etc/ssh \
173	--with-md5-passwords \
174	--with-privsep-path=/var/lib/sshd &&
175	make</userinput></screen>
176
177	<para>
178	The testsuite requires an installed copy of <command>scp</command> to
179	complete the multiplexing tests. To run the test suite, first copy the
180	<command>scp</command> program to
181	<filename class="directory">/usr/bin</filename>, making sure that you
182	backup any existing copy first.
183	</para>
184
185	<para>
186	To test the results, issue: <command>make -j1 tests</command>.
187	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
188	</para>
189
190	<!-- commenting this, I get "all tests passed" [ ken ]
191	NB tests should be run as _user_ but the role in the comment is root
192
193	commenting [ bruce ]: There are a couple of tests that want root.
194	The log mentions that SUDO is not set. These skipped tests are
195	ignored and the end says 'all tests passed' even when not root
196
197	<para>
198	To run the test suite, issue the following commands:
199	</para>
200
201	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
202	grep FATAL check.log</userinput></screen>
203
204	<para>
205	If the above command produces no 'FATAL' errors, then proceed with the
206	installation, as the <systemitem class="username">root</systemitem> user:
207	</para>-->
208	<para>
209	Now, as the <systemitem class="username">root</systemitem> user:
210	</para>
211
212	<screen role="root"><userinput>make install &&
213	install -v -m755 contrib/ssh-copy-id /usr/bin &&
214
215	install -v -m644 contrib/ssh-copy-id.1 \
216	/usr/share/man/man1 &&
217	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
218	install -v -m644 INSTALL LICENCE OVERVIEW README* \
219	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
220	</sect2>
221
222	<sect2 role="commands">
223	<title>Command Explanations</title>
224
225	<para>
226	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
227	configuration files from being installed in
228	<filename class="directory">/usr/etc</filename>.
229	</para>
230
231	<para>
232	<parameter>--with-md5-passwords</parameter>: This enables the use of MD5
233	passwords.
234	</para>
235
236	<para>
237	<option>--with-pam</option>: This parameter enables
238	<application>Linux-PAM</application> support in the build.
239	</para>
240
241	<para>
242	<option>--with-xauth=/usr/bin/xauth</option>: Set the default
243	location for the <command>xauth</command> binary for X authentication.
244	Change the location if <command>xauth</command> will be installed to a
245	different path. This can also be controlled from
246	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
247	omit this switch if <application>Xorg</application> is already installed.
248	</para>
249
250	<para>
251	<option>--with-kerberos5=/usr</option>: This option is used to
252	include Kerberos 5 support in the build.
253	</para>
254
255	<para>
256	<option>--with-libedit</option>: This option enables line editing
257	and history features for <command>sftp</command>.
258	</para>
259
260	</sect2>
261
262	<sect2 role="configuration">
263	<title>Configuring OpenSSH</title>
264
265	<sect3 id="openssh-config">
266	<title>Config Files</title>
267
268	<para>
269	<filename>~/.ssh/*</filename>,
270	<filename>/etc/ssh/ssh_config</filename>, and
271	<filename>/etc/ssh/sshd_config</filename>
272	</para>
273
274	<indexterm zone="openssh openssh-config">
275	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
276	</indexterm>
277
278	<indexterm zone="openssh openssh-config">
279	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
280	</indexterm>
281
282	<indexterm zone="openssh openssh-config">
283	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
284	</indexterm>
285
286	<para>
287	There are no required changes to any of these files. However,
288	you may wish to view the
289	<filename class='directory'>/etc/ssh/</filename> files and make any
290	changes appropriate for the security of your system. One recommended
291	change is that you disable
292	<systemitem class='username'>root</systemitem> login via
293	<command>ssh</command>. Execute the following command as the
294	<systemitem class='username'>root</systemitem> user to disable
295	<systemitem class='username'>root</systemitem> login via
296	<command>ssh</command>:
297	</para>
298
299	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
300
301	<para>
302	If you want to be able to log in without typing in your password, first
303	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
304	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
305	~/.ssh/authorized_keys on the remote computer that you want to log into.
306	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
307	computer and you'll also need to enter your password for the ssh-copy-id command
308	to succeed:
309	</para>
310
311	<screen><userinput>ssh-keygen &&
312	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
313
314	<para>
315	Once you've got passwordless logins working it's actually more secure
316	than logging in with a password (as the private key is much longer than
317	most people's passwords). If you would like to now disable password
318	logins, as the <systemitem class="username">root</systemitem> user:
319	</para>
320
321
322	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
323	echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
324
325	<para>
326	If you added <application>Linux-PAM</application> support and you want
327	ssh to use it then you will need to add a configuration file for
328	<application>sshd</application> and enable use of
329	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
330	passwords, if you've disabled password logins these commands are not
331	needed. If you want to use PAM, issue the following commands as the
332	<systemitem class='username'>root</systemitem> user:
333	</para>
334
335	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
336	chmod 644 /etc/pam.d/sshd &&
337	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
338
339	<para>
340	Additional configuration information can be found in the man
341	pages for <command>sshd</command>, <command>ssh</command> and
342	<command>ssh-agent</command>.
343	</para>
344	</sect3>
345
346	<sect3 id="openssh-init">
347	<title><phrase revision="sysv">Boot Script</phrase>
348	<phrase revision="systemd">Systemd Unit</phrase></title>
349
350	<para revision="sysv">
351	To start the SSH server at system boot, install the
352	<filename>/etc/rc.d/init.d/sshd</filename> init script included
353	in the <xref linkend="bootscripts"/> package.
354	</para>
355
356	<para revision="systemd">
357	To start the SSH server at system boot, install the
358	<filename>sshd.service</filename> unit included in the
359	<xref linkend="systemd-units"/> package.
360	</para>
361
362	<indexterm zone="openssh openssh-init">
363	<primary sortas="f-sshd">sshd</primary>
364	</indexterm>
365
366	<screen role="root"><userinput>make install-sshd</userinput></screen>
367	</sect3>
368	</sect2>
369
370	<sect2 role="content">
371	<title>Contents</title>
372
373	<segmentedlist>
374	<segtitle>Installed Programs</segtitle>
375	<segtitle>Installed Libraries</segtitle>
376	<segtitle>Installed Directories</segtitle>
377
378	<seglistitem>
379	<seg>
380	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
381	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
382	</seg>
383	<seg>
384	None
385	</seg>
386	<seg>
387	/etc/ssh,
388	/usr/share/doc/openssh-&openssh-version;, and
389	/var/lib/sshd
390	</seg>
391	</seglistitem>
392	</segmentedlist>
393
394	<variablelist>
395	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
396	<?dbfo list-presentation="list"?>
397	<?dbhtml list-presentation="table"?>
398
399	<varlistentry id="scp">
400	<term><command>scp</command></term>
401	<listitem>
402	<para>
403	is a file copy program that acts like <command>rcp</command> except
404	it uses an encrypted protocol
405	</para>
406	<indexterm zone="openssh scp">
407	<primary sortas="b-scp">scp</primary>
408	</indexterm>
409	</listitem>
410	</varlistentry>
411
412	<varlistentry id="sftp">
413	<term><command>sftp</command></term>
414	<listitem>
415	<para>
416	is an FTP-like program that works over the SSH1 and SSH2 protocols
417	</para>
418	<indexterm zone="openssh sftp">
419	<primary sortas="b-sftp">sftp</primary>
420	</indexterm>
421	</listitem>
422	</varlistentry>
423	<!-- Not installed anymore as of 8.5p1
424	<varlistentry id="slogin">
425	<term><command>slogin</command></term>
426	<listitem>
427	<para>
428	is a symlink to <command>ssh</command>
429	</para>
430	<indexterm zone="openssh slogin">
431	<primary sortas="b-slogin">slogin</primary>
432	</indexterm>
433	</listitem>
434	</varlistentry>
435	-->
436	<varlistentry id="ssh">
437	<term><command>ssh</command></term>
438	<listitem>
439	<para>
440	is an <command>rlogin</command>/<command>rsh</command>-like client
441	program except it uses an encrypted protocol
442	</para>
443	<indexterm zone="openssh ssh">
444	<primary sortas="b-ssh">ssh</primary>
445	</indexterm>
446	</listitem>
447	</varlistentry>
448
449	<varlistentry id="sshd">
450	<term><command>sshd</command></term>
451	<listitem>
452	<para>
453	is a daemon that listens for <command>ssh</command> login requests
454	</para>
455	<indexterm zone="openssh sshd">
456	<primary sortas="b-sshd">sshd</primary>
457	</indexterm>
458	</listitem>
459	</varlistentry>
460
461	<varlistentry id="ssh-add">
462	<term><command>ssh-add</command></term>
463	<listitem>
464	<para>
465	is a tool which adds keys to the <command>ssh-agent</command>
466	</para>
467	<indexterm zone="openssh ssh-add">
468	<primary sortas="b-ssh-add">ssh-add</primary>
469	</indexterm>
470	</listitem>
471	</varlistentry>
472
473	<varlistentry id="ssh-agent">
474	<term><command>ssh-agent</command></term>
475	<listitem>
476	<para>
477	is an authentication agent that can store private keys
478	</para>
479	<indexterm zone="openssh ssh-agent">
480	<primary sortas="b-ssh-agent">ssh-agent</primary>
481	</indexterm>
482	</listitem>
483	</varlistentry>
484
485	<varlistentry id="ssh-copy-id">
486	<term><command>ssh-copy-id</command></term>
487	<listitem>
488	<para>
489	is a script that enables logins on remote machines using local keys
490	</para>
491	<indexterm zone="openssh ssh-copy-id">
492	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
493	</indexterm>
494	</listitem>
495	</varlistentry>
496
497	<varlistentry id="ssh-keygen">
498	<term><command>ssh-keygen</command></term>
499	<listitem>
500	<para>
501	is a key generation tool
502	</para>
503	<indexterm zone="openssh ssh-keygen">
504	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
505	</indexterm>
506	</listitem>
507	</varlistentry>
508
509	<varlistentry id="ssh-keyscan">
510	<term><command>ssh-keyscan</command></term>
511	<listitem>
512	<para>
513	is a utility for gathering public host keys from a number of hosts
514	</para>
515	<indexterm zone="openssh ssh-keyscan">
516	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
517	</indexterm>
518	</listitem>
519	</varlistentry>
520
521	</variablelist>
522	</sect2>
523
524	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/openssh.xml@ 45ab6c7

Download in other formats: